Retired Senior (now termed Chief) District Judge Richard Magnus to chair the COI

The cybersecurity attack on SingHealth’s IT system, resulting in the exfiltration of 1.5 million patients’ non-medical personal data and 160,000 patients’ dispensed medicines data, is the most serious breach of personal data that Singapore has experienced.

2 The Cyber Security Agency (CSA)’s investigations have established that the attack was deliberate, targeted and carefully planned. It was not the work of casual hackers or criminal gangs. Prime Minister Lee Hsien Loong’s personal particulars and outpatient medication data were specifically and repeatedly targeted.

Committee of Inquiry

3 This incident has serious public health and safety implications. Therefore, the Minister-in-Charge of Cybersecurity, Mr S Iswaran, will convene a Committee of Inquiry (COI) under Section 9 of the Inquiries Act (Cap 139A). Mr Richard Magnus, a retired Senior (now termed Chief) District Judge and member of the Public Service Commission, has agreed to chair the COI.

4 The COI will establish the events and contributory factors leading to the cybersecurity attack, and the incident response. It will also recommend measures to better manage and secure SingHealth’s and other public sector IT systems against similar cybersecurity attacks in future.

5 The COI’s composition and Terms of Reference will be announced at a later date.

Government to Take Immediate Actions to Strengthen IT Systems

6 Meanwhile, the Government will take immediate action to strengthen our IT systems against similar cybersecurity attacks. The Minister-in-Charge of Cybersecurity has directed CSA to work closely with all 11 key sectors1 to enhance the cybersecurity of their Critical Information Infrastructure systems.

7 The Smart Nation and Digital Government Group (SNDGG) has completed a scan of all government systems and found no evidence of compromise. SNDGG will pause the introduction of new ICT systems while it reviews the cybersecurity measures of government systems, and implements any additional security safeguards which are necessary.

Ensuring Cybersecurity in the Digital Age

8 While we will do our utmost to secure our IT systems from attack, unfortunately we cannot completely eliminate the risk of another cybersecurity attack. Every country is under threat, and the attackers are constantly developing new techniques and probing for fresh weaknesses in IT systems. However, we must not allow this incident, or any others like it, to derail our plans for a Smart Nation. We must adapt ourselves to operate effectively and securely in the digital age, to deliver better public services, enhance our economic competitiveness, and create good jobs and opportunities for Singaporeans.

9 The Government takes with utmost seriousness its responsibility of ensuring the security of public sector IT systems and databases. We will learn from the experience of this deliberate and sophisticated cybersecurity attack, and implement measures to better secure our public sector IT systems and databases, and uphold public trust in our systems.

[1]Energy, Water, Banking and Finance, Healthcare, Transport (which includes Land, Maritime, and Aviation), Infocomm, Media, Security and Emergency Services, and Government.